moving DNSSEC to a hidden master

Alan Clegg alan at clegg.com
Wed Oct 2 01:26:23 UTC 2013


On Oct 1, 2013, at 9:04 PM, Sten Carlsen <stenc at s-carlsen.dk> wrote:

> 
> On 02/10/13 02.47, Alan Clegg wrote:
>> On Oct 1, 2013, at 8:27 PM, David Newman <dnewman at networktest.com> wrote:
>> 
>> 
>>> On 10/1/13 2:16 PM, David Newman wrote:
>>> 
>>>> Is there a recommended order of operations when moving DNSSEC-enabled
>>>> nameservers to a hidden-master setup?
>>>> 
>>> Actually, this is really a more general question: Is there a recommended
>>> order of operations when migrating zones between any two DNSSEC-enabled
>>> nameservers, assuming the same version of bind on each?
>>> 
>> Eh... I'm not sure what the complexity here is.
>> 
>> Set the "new" machine up as a slave, use the standard axfr mechanism to replicate the zones, move the keying material and then convert the new system from slave to master while taking the existing master off-line.
>> 
>> What am I missing?

> I believe that was the question, what is missing here - if anything. Seems too easy, there has to be a catch.
> Anything to do to catch up on internal states, how to be sure the new master will continue exactly as the old one had done. Maybe it is that simple, that would be great, but if you are not sure, it is a good question to ask.

Fair enough.

David:  I've done this quite a few times and haven't had issues.

I guess there _could_ be an issue if you are not careful, take too long getting the new master online and allow RRSIGs to expire.  If you've been careful previously and don't take over 10 days to get the new master online (assuming default signature lifetime), all should be fine.

The original post mentioned moving .jnl files, etc. which I would not recommend.  Don't try to "replicate" the initial master by moving all of the files; allow the protocol to do the work replicating the zone data and you should be able to just copy the keying material across.

Of course, you will need to make sure that you have the new master configured to do the signing in the same way as you did on the "being-retired" master server.

(and as a side note, never use zero TTLs)

AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com
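The one failure mode Alan names above is letting RRSIGs expire (or not yet be valid, if the new master's clock is off) while the cutover drags on. The check below is an added example written for this archive page, not code from the thread or from BIND: it parses RRSIG records in the presentation format that `dig +dnssec` or a signed zone file prints, and reports how much signature lifetime is left relative to a chosen safety margin before the old master is taken offline. The sample records, the reference time, the three-day margin and the function names are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in RRSIG presentation format:
# owner TTL class RRSIG type-covered alg labels orig-TTL expiration inception keytag signer signature
# The signature fields are truncated placeholders, not real signatures.
SAMPLE_RRSIGS = """\
example.com.     3600 IN RRSIG SOA 8 2 3600 20131011000000 20131001000000 12345 example.com. AbCd==
example.com.     3600 IN RRSIG A   8 2 3600 20131004120000 20130924120000 12345 example.com. EfGh==
www.example.com.  300 IN RRSIG A   8 3  300 20131020000000 20131010000000 12345 example.com. IjKl==
"""

# Constructed reference time (the timestamp of the post above), used so the run is deterministic.
EXAMPLE_NOW = datetime(2013, 10, 2, 1, 26, 23, tzinfo=timezone.utc)


def parse_rrsig_time(stamp):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the interesting RRSIG fields, or None if the line is not an RRSIG record."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        return None
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def classify(sig, now, min_margin):
    """Validity status of one signature at time `now`, with a required remaining lifetime."""
    if now < sig["inception"]:
        return "not-yet-valid"      # clock skew or a signer with a future inception
    if now >= sig["expiration"]:
        return "expired"            # validators already fail this RRset
    if sig["expiration"] - now < min_margin:
        return "expiring"           # would expire during a slow cutover
    return "ok"


def check_rrsigs(text, now, min_margin_days=3):
    """Parse every RRSIG in `text` and annotate it with remaining lifetime and status."""
    min_margin = timedelta(days=min_margin_days)
    results = []
    for line in text.splitlines():
        sig = parse_rrsig(line.strip())
        if sig is None:
            continue
        sig["remaining"] = sig["expiration"] - now
        sig["status"] = classify(sig, now, min_margin)
        results.append(sig)
    return results


def cutover_is_safe(text, now, min_margin_days=3):
    """True only if every signature is currently valid with the required margin left."""
    return all(r["status"] == "ok" for r in check_rrsigs(text, now, min_margin_days))


if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_RRSIGS, EXAMPLE_NOW):
        print(f'{r["owner"]:18} {r["type_covered"]:4} expires in {r["remaining"].days:3d}d  {r["status"]}')
    print("safe to cut over:", cutover_is_safe(SAMPLE_RRSIGS, EXAMPLE_NOW))
```

Run it against the output of `dig @new-master zone AXFR +dnssec` (or the signed zone file on the slave) instead of the constructed sample; any status other than "ok" means either wait for the old master to re-sign, or fix the clock, before retiring it. In the sample, the SOA signature has about nine days left, the apex A signature expires in under three days, and the www signature's inception is in the future, so the check reports the cutover as unsafe.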
